In April 2026, two European data protection authorities published guidance on the same topic within weeks of each other. France’s CNIL and Italy’s Garante both issued rules on tracking pixels in email: the small, invisible images that report back to a sender’s server the moment a recipient opens a message.
If you send an email to recipients in either country, those rules now affect how you can use open tracking. If you send an email elsewhere in Europe, they do not currently. But the direction of travel is worth watching.
What France and Italy have said
The CNIL adopted its recommendation on 12 March 2026 and published it on 14 April. The Garante followed on 17 April with Provision No. 284, a binding measure (the CNIL’s is a best-practice recommendation). Both start from the same premise: a tracking pixel is functionally equivalent to a cookie.
Both France & Italy make exemptions. Open tracking used purely to manage list hygiene (suppressing inactive recipients, adjusting sending frequency) may not require consent, provided the data collected is limited to what is strictly necessary. Authentication-related signals, fraud detection, and mandatory institutional notices also fall outside the consent requirement in certain conditions. But open tracking used to measure campaign performance, build recipient profiles, or feed any kind of behavioural analysis: that requires explicit, granular, purpose-specific consent under both frameworks.
The two measures are not identical. The Garante’s provision is a binding law with a six-month compliance window from publication in the Official Gazette. The CNIL’s recommendation is guidance, with a deadline of 14 July 2026 for organisations to inform existing contacts and provide a means for them to object. Both treat consent as something that must be obtained at the point of data collection, must be withdrawable at any time, and cannot be bundled into general marketing consent.
Does this affect everyone in Europe?
Not yet, and it is worth being precise about this. These are national-level measures, grounded in how France and Italy have implemented the directive through their own laws. They apply when you send emails to recipients located in those countries. Other EU member states have not published equivalent guidance. There is no pan-European rule specifically on tracking pixels in force at the time of writing.
However, the fact that two authorities moved simultaneously, citing the same logic, suggests other regulators are watching. Senders with significant audiences in France or Italy will need to act accordingly. Senders elsewhere in Europe may want to start thinking about how they would respond if similar guidance were to arrive in their markets.
The practical problem for transactional email senders
Transactional email sits in a more favourable position than marketing email under both frameworks. If your open tracking serves a genuine operational purpose (e.g., confirming delivery to adjust sending behaviour, or identifying inactive addresses for suppression), both the CNIL and the Garante indicate that consent may not be required. The condition is that the tracking is limited, that the data is not used for any purpose beyond that operational need, and that the processing is proportionate.
The problem is that most email platforms track opens uniformly. A single tracking pixel is included in every message; the data flows into the same analytics pipeline, and the sender has little or no ability to differentiate by recipient, consent status, or purpose. That architecture does not fit well with what France and Italy are now requesting: targeted, conditional, purposeful tracking that respects the specific legal basis (or lack thereof) for each recipient.
What to do if you send to France or Italy
The immediate steps depend on your current setup and your audience, but the general direction is straightforward.
- Audit which flows include open tracking and whether any of those flows have recipients based in France or Italy.
- Determine whether your tracking is serving a purpose that falls within the operational exemptions (list hygiene, inactive suppression) or whether it is primarily analytical or campaign-measurement in nature.
- If it is the latter, and you do not have valid consent from French and Italian recipients, configure your SendPro flows to exclude open tracking for those segments until consent collection is in place.
- Review your consent collection process at the point of email address capture, and add clear, purpose-specific information about pixel tracking where required.
The CNIL’s July deadline and the Garante’s six-month transitional period give some breathing room for existing lists. For new addresses collected after these rules came into force, compliance is expected immediately.
Some questions answered
Do the CNIL and Garante rules on tracking pixels apply across the whole EU?
No. The CNIL recommendation applies in France; the Garante provision applies in Italy. Both are based on how those countries have implemented the ePrivacy Directive in national law. No other EU member state has published equivalent guidance on tracking pixels in email at this time, though the legal logic underlying both frameworks is broadly consistent with GDPR principles that apply EU-wide.
Is open tracking in transactional email always prohibited under the new French and Italian rules?
No. Both the CNIL and the Garante allow open tracking without consent where it is used exclusively for operational purposes: managing list hygiene, suppressing inactive recipients, or adjusting sending frequency. The requirement for prior consent applies where tracking is used for campaign measurement, behavioural profiling, or any purpose beyond that narrow operational scope. Transactional senders should assess how their tracking data is actually used before concluding whether consent is required.
What is the compliance deadline for organisations sending email to recipients in France and Italy?
For France, the CNIL has indicated that organisations must inform existing contacts about pixel use and provide a means of objecting by 14 July 2026. For Italy, the Garante’s Provision No. 284 grants a six-month transitional period from publication in the Official Gazette (29 April 2026) for previously collected addresses. In both cases, compliance for newly collected addresses is expected immediately from the date the rules came into force.
What are common French and Italian inbox providers?
To prepare for this ruling, a simple run through your subscriber list will already help you: look for recipients at @orange.fr and @wanadoo.fr (Orange France), @laposte.net (La Poste), and @sfr.fr, @neuf.fr, @cegetel.net, @club-internet.fr, or @numericable.fr (SFR and its legacy brands) to identify your French exposure. For Italy, check for @libero.it, @virgilio.it, @iol.it, @inwind.it, and @blu.it (ItaliaOnline), @alice.it, @tim.it, and @tin.it (TIM), and @tiscali.it (Tiscali). Addresses at those domains give you a working estimate of the audience segments where open tracking now requires a consent basis.
How can I disable open tracking in Spotler SendPro?
SendPro gives you control over open tracking at the flow step level. Within a flow, you can configure conditions that determine whether open tracking is applied to a given message. That means you can exclude specific recipient groups from open tracking entirely: recipients in a particular region, recipients who have not provided tracking consent, or any other segment you define through the flow logic.
How can I disable open tracking in Spotler MailPro?
If you also use Spotler MailPro for campaign email, the same principle applies there, though the implementation differs. MailPro handles consent-conditional tracking at the mailing level: you store tracking opt-in status as a field on each recipient record, then use that field to split your audience into two separate mailings, one with tracking enabled and one without. It is a more manual approach than SendPro’s flow step conditions, but it achieves the same outcome: open tracking is applied only to recipients with a valid consent record.
If you want to understand how SendPro’s flow step conditions work in practice, or how to structure your flows to handle consent-conditional tracking, take a look at the SendPro platform or get in touch with the team.
